The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Why Security Matters

The security of cardholder data affects everybody.

The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, and their credit can be negatively affected; the personal fallout is enormous. Merchants and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities.

“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.” — Quick Service Restaurant (QSR) Magazine

Many organizations treat compliance as a one-time, annual event. But only focusing on an annual compliance assessment can create a false sense of security.

Forensic investigators have discovered that security controls deployed by organizations that had passed an assessment were often out of compliance when breaches occurred at a later date. It’s only by achieving and maintaining compliance that your cyber defenses will be adequately primed against attacks aimed at stealing cardholder data.

Validation of compliance with the PCI Data Security Standard is determined by individual payment brands. All have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs. The payment brands also recognize qualified security assessors and approved scanning vendors qualified by the PCI Security Standards Council.

The Council does not enforce compliance; this is done by individual payment brands or acquiring banks.

The PCI 3-Step Process

Assess: identify cardholder data, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities.

Implementing the PCI Data Security Standard starts with scoping. This process involves identifying all system components that are located within or connected to the cardholder data environment (such an environment is comprised of people, processes, and technology that handle cardholder data or sensitive authentication data).

Scoping is an annual process and must occur prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for the PCI Data Security Standard.

Assessment:

A Qualified Security Assessor is a data security firm that is qualified by the PCI Council to perform on-site PCI Data Security Standard assessments.

The Assessor will:

Verify all technical information given by merchant or service provider

Use independent judgment to confirm the standard has been met

Provide support and guidance during the compliance process

Be onsite for the duration of the assessment as required

Adhere to the PCI Data Security Standard Assessment Procedures

Validate the scope of the assessment

Evaluate compensating controls

Produce the final Report on Compliance

Reporting:

Reports are the official method by which merchants and other entities report their compliance status with the PCI Data Security Standard to their respective acquiring financial institutions or payment card brand.

Quarterly submission of a report for network scanning may also be required. Individual payment card brands may require submission of other documentation; see their web sites for more information.

Depending on payment card brand requirements, merchants and service providers may need to submit a Self-Assessment Questionnaire for self-assessments, or a Report on Compliance for on-site assessments.